## Last changed: 2012-10-15 16:40:14 BST
/* NOTE(review): sanitised export of an SRX branch firewall (PPPoE WAN, one
   site-to-site IPsec VPN to 192.168.253.0/24, a wizard-built dynamic VPN for
   remote users, UTM on outbound HTTP). Every "xxx..." value is a placeholder,
   and the CHAP "password"/"username" pair under pp0 appears to be one too —
   confirm before reusing any of it. Review annotations are marked
   NOTE(review) and do not change behaviour. */
version 12.1R3.5;
system {
    host-name router.remotedomain.co.uk;
    domain-name remotedomain.co.uk;
    domain-search remotedomain.co.uk;
    time-zone Europe/London;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxx";
    }
    name-server {
        212.159.13.49;
        212.159.13.50;
        212.159.6.10;
        212.159.6.9;
    }
    login {
        user me {
            full-name "me";
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxxx";
            }
        }
        /* Separate read-only account for monitoring; keeps the super-user
           credential out of any polling tool. */
        user monitor {
            full-name "Monitor User";
            uid 2001;
            class read-only;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxx";
            }
        }
    }
    services {
        /* NOTE(review): root-login is not set here; the Junos default permits
           root to log in over SSH — TODO confirm for 12.1 and consider
           "root-login deny" since user "me" already has super-user. */
        ssh {
            protocol-version v2;
            connection-limit 3;
        }
        /* NOTE(review): allows JUNOScript XML management sessions in clear
           text. SSH is already v2-only; prefer xnm-ssl, or drop this if no
           management tool depends on it. */
        xnm-clear-text;
        dns {
            max-cache-ttl 600;
            max-ncache-ttl 300;
            forwarders {
                212.159.6.10;
                212.159.6.9;
                212.159.13.49;
                212.159.13.50;
            }
        }
        /* NOTE(review): J-Web over plain HTTP is listening on the LAN (vlan.0)
           and on the site-to-site tunnel interface (st0.0); only pp0.0 gets
           HTTPS. Logins to the HTTP listener cross those segments
           unencrypted — consider HTTPS on vlan.0/st0.0 as well. */
        web-management {
            management-url jweb-noaccess;
            http {
                interface [ vlan.0 st0.0 ];
            }
            https {
                pki-local-certificate SRX;
                interface pp0.0;
            }
            session {
                idle-timeout 30;
                session-limit 3;
            }
        }
        dhcp {
            maximum-lease-time 10800;
            default-lease-time 3600;
            domain-name remotedomain.co.uk;
            name-server {
                212.159.6.10;
                212.159.6.9;
                212.159.13.49;
                212.159.13.50;
            }
            domain-search {
                remotedomain.co.uk;
            }
            pool 192.168.0.0/24 {
                address-range low 192.168.0.60 high 192.168.0.99;
                router {
                    192.168.0.254;
                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* NOTE(review): full log stream to an on-LAN collector; with no
           transport option the default is unauthenticated UDP syslog, so the
           collector should only be reachable from the trust zone. */
        host 192.168.0.222 {
            any any;
            port 514;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        boot-server 93.186.33.42;
        server 93.186.33.42 prefer;
        server 217.114.59.66;
    }
}
interfaces {
    /* WAN: PPPoE runs on fe-0/0/0.0; the routable IP lives on pp0.0 below. */
    fe-0/0/0 {
        description "PPPoE via ADSL Modem";
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    fe-0/0/1 {
        description "";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        description "";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        description "";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        description "";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        description "";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        description "Interface connected to Grandstream GXP2020 ";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        description "Interface connected to LAN";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    pp0 {
        unit 0 {
            description "connection to ISP";
            ppp-options {
                /* NOTE(review): sanitised placeholders — Junos stores the real
                   CHAP secret obfuscated ($9$...), never as this literal. */
                chap {
                    default-chap-secret "password";
                    local-name "username";
                    no-rfc2486;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 5;
                client;
            }
            family inet {
                negotiate-address;
            }
        }
    }
    /* Tunnel interface for the site-to-site VPN (ipsec-vpn-cfgr). */
    st0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.0.254/24;
            }
        }
    }
}
/* NOTE(review): community "public" is the well-known default string. It is
   read-only and client-restricted, but SNMPv2c sends it in clear text and
   the client list includes the remote site over the tunnel — rename it, or
   move to SNMPv3 where the monitoring tooling allows. */
snmp {
    description router.remotedomain.co.uk;
    location Office;
    contact "me";
    community public {
        authorization read-only;
        clients {
            192.168.253.0/24;
            192.168.25.0/24;
            192.168.0.0/24;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
        route 192.168.253.0/24 next-hop st0.0;
    }
}
security {
    /* NOTE(review): "disable" turns off the security log stream, so the
       screen and policy events configured below may never reach the syslog
       collector at 192.168.0.222 — TODO confirm this is intentional and what
       still gets logged in event mode. */
    log {
        cache;
        disable;
        utc-timestamp;
    }
    key-protection;
    /* NOTE(review): CRL checking is off for ca-profile SRX, so anything
       validated against this CA is accepted without revocation status.
       Profile SRX also backs the J-Web HTTPS certificate — TODO confirm it
       is used for nothing else (e.g. IKE certificates). */
    pki {
        ca-profile SRX {
            ca-identity RAIDSSL;
            revocation-check {
                disable;
                crl {
                    disable on-download-failure;
                }
            }
        }
    }
    ike {
        /* NOTE(review): group5 / SHA-1 proposal, referenced only by the
           dynamic-VPN policy ike_pol_wizard_dyn_vpn; the site-to-site path
           already uses group14 / SHA-256 (ike-proposal-aes-256). */
        proposal ike-proposal-cfgr {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 14400;
        }
        proposal ike-proposal-aes-256 {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 14400;
        }
        policy ike-policy-cfgr {
            mode main;
            proposals ike-proposal-aes-256;
            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxx";
        }
        /* NOTE(review): aggressive mode with a pre-shared key is the wizard
           default for dynamic VPN with group-ike-id, but it exposes the
           PSK-derived identity hash to any peer that can reach pp0.0; the
           strength of this PSK is what protects the remote-access gateway,
           with the XAUTH passwords under [access] as a second step, not a
           substitute. */
        policy ike_pol_wizard_dyn_vpn {
            mode aggressive;
            proposals ike-proposal-cfgr;
            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxx";
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            address 111.111.111.111;
            dead-peer-detection {
                interval 30;
                threshold 2;
            }
            local-identity inet 222.222.222.222;
            external-interface pp0.0;
            version v2-only;
        }
        gateway gw_wizard_dyn_vpn {
            ike-policy ike_pol_wizard_dyn_vpn;
            dynamic {
                hostname router.remotedomain.co.uk;
                connections-limit 5;
                ike-user-type group-ike-id;
            }
            external-interface pp0.0;
            xauth access-profile remote_access_profile;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 10;
            threshold 10;
        }
        proposal ipsec-proposal-cfgr {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        proposal ipsec-proposal-aes-256 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 14400;
        }
        policy ipsec-policy-cfgr {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals ipsec-proposal-aes-256;
        }
        policy ipsec_pol_wizard_dyn_vpn {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec-proposal-cfgr;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.0;
            ike {
                gateway ike-gate-cfgr;
                idle-time 120;
                proxy-identity {
                    local 192.168.0.0/24;
                    remote 192.168.253.0/24;
                }
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels on-traffic;
        }
        vpn wizard_dyn_vpn {
            ike {
                gateway gw_wizard_dyn_vpn;
                ipsec-policy ipsec_pol_wizard_dyn_vpn;
            }
        }
    }
    /* All ALGs off except the IKE/ESP NAT helper needed for VPN clients
       behind NAT. */
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    application-tracking {
        disable;
    }
    utm {
        feature-profile {
            anti-virus {
                mime-whitelist {
                    exception junos-default-bypass-mime;
                }
                type kaspersky-lab-engine;
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {
                            admin-email "me@mydomain.co.uk";
                            custom-message "Pattern UPDATE Done";
                            custom-message-subject "AV UPDATE COMPLETE";
                        }
                        /* NOTE(review): pattern files are fetched over plain
                           HTTP; integrity rests on the engine's own
                           verification of what it downloads — TODO confirm. */
                        url http://update.juniper-updates.net/AV/SRX100;
                        interval 60;
                    }
                    profile junos-av-defaults {
                        scan-options {
                            scan-mode by-extension;
                            scan-extension junos-default-extension;
                        }
                        trickling timeout 120;
                        notification-options {
                            virus-detection {
                                type message;
                                notify-mail-sender;
                                custom-message-subject "VIRUS WARNING";
                            }
                            fallback-block {
                                type message;
                                display-host;
                                allow-email;
                                administrator-email "me@mydomain.co.uk";
                                notify-mail-sender;
                                custom-message "A Virus was found. Content was stopped";
                                custom-message-subject "A Virus was found. Content was stopped";
                            }
                            fallback-non-block {
                                notify-mail-recipient;
                                custom-message "A Virus was found.";
                                custom-message-subject "A Virus was found.";
                            }
                        }
                    }
                }
            }
            web-filtering {
                type surf-control-integrated;
                surf-control-integrated {
                    cache {
                        timeout 1800;
                        size 500;
                    }
                    profile junos-wf-cpa-default {
                        category {
                            Hate_Speech {
                                action block;
                            }
                            Criminal_Skills {
                                action block;
                            }
                            Hacking {
                                action block;
                            }
                            Remote_Proxies {
                                action block;
                            }
                            Adult_Sexually_Explicit {
                                action log-and-permit;
                            }
                            Gambling {
                                action log-and-permit;
                            }
                            Drugs_Alcohol_Tobacco {
                                action log-and-permit;
                            }
                            Games {
                                action permit;
                            }
                            Personals_Dating {
                                action log-and-permit;
                            }
                            Sex_Education {
                                action log-and-permit;
                            }
                            Weapons {
                                action log-and-permit;
                            }
                            Violence {
                                action log-and-permit;
                            }
                        }
                    }
                }
            }
        }
        utm-policy junos-av-policy {
            traffic-options {
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
        /* The only UTM policy actually attached to a security policy
           (trust-to-untrust-allow-http). */
        utm-policy junos-av-wf-policy {
            traffic-options {
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
        utm-policy junos-wf-policy {
            traffic-options {
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
    }
    dynamic-vpn {
        access-profile remote_access_profile;
        clients {
            /* NOTE(review): remote-exceptions 0.0.0.0/0 alongside the
               protected 192.168.0.0/24 appears to configure split
               tunnelling — only LAN-bound traffic from the remote client
               crosses the tunnel; its other traffic leaves locally. */
            wizard-dyn-group {
                remote-protected-resources {
                    192.168.0.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn wizard_dyn_vpn;
                user {
                    me;
                    me-backup;
                }
            }
        }
    }
    flow {
        allow-dns-reply;
        syn-flood-protection-mode syn-cookie;
        tcp-mss {
            all-tcp {
                mss 1452;
            }
            ipsec-vpn {
                mss 1350;
            }
        }
        tcp-session {
            rst-invalidate-session;
            rst-sequence-check;
            strict-syn-check;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                large;
                ping-death;
            }
            ip {
                bad-option;
                security-option;
                /* NOTE(review): the IP-spoofing screen has been deactivated;
                   record why (PPPoE or proxy-arp side effect?) or re-activate. */
                inactive: spoofing;
                source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 10;
                }
                land;
                winnuke;
            }
        }
    }
    nat {
        source {
            /* NOTE(review): this pool is not referenced by any NAT rule —
               trust-source-nat-rule below uses interface NAT. */
            pool ADSL_WAN_IP_0 {
                address {
                    111.111.111.111/32;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule trust-source-nat-rule {
                    match {
                        source-address 192.168.0.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /* Answers ARP on the LAN for the dynamic-VPN client address range
           (dyn-vpn-address-pool under [access]). */
        proxy-arp {
            interface vlan.0 {
                address {
                    192.168.0.170/32 to 192.168.0.179/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust-allow-DNS {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address any;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                }
            }
            policy trust-to-untrust-allow-http {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        application-services {
                            utm-policy junos-av-wf-policy;
                        }
                    }
                }
            }
            policy trust-to-untrust-allow-HTTPS {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
            policy trust-to-any-allow-email {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address any;
                    application [ junos-pop3 junos-imap junos-smtp ];
                }
                then {
                    permit;
                }
            }
            policy trust-to-untrust-allow-ftp {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address any;
                    application junos-ftp;
                }
                then {
                    permit;
                }
            }
            /* NOTE(review): catch-all permit. Only junos-http above receives
               UTM; every other outbound protocol passes uninspected, which
               makes the specific policies above mostly documentation. The
               SSMTP/IMAPS applications and the JOHN/DAD address-book entries
               defined in this file are not referenced by any policy. */
            policy trust-to-any-allow-ALL {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* NOTE(review): any/any/any here is scoped by "tunnel ipsec-vpn"
               — only traffic decrypted from wizard_dyn_vpn matches, so no
               clear-text untrust traffic is admitted. Remote users do get
               full LAN reach; narrow destination-address/application if that
               is wider than intended. */
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
        from-zone trust to-zone jbvpn {
            policy trust-jbvpn-cfgr {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address addr_192_168_253_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone jbvpn to-zone trust {
            policy jbvpn-trust-cfgr {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address addr_192_168_0_0_24;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone trust {
            address-book {
                address addr_192_168_0_0_24 192.168.0.0/24;
                address JOHN 192.168.0.10/32;
                address DAD 192.168.0.150/32;
            }
            /* NOTE(review): "all" opens every host service and routing
               protocol to the LAN zone. List what is actually used instead
               (e.g. ssh, https, dhcp, dns, ntp, ping) so a compromised LAN
               host cannot reach the rest. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            address-book {
                address adsl.remotedomain.co.uk 111.111.111.111/32;
            }
            screen untrust-screen;
            interfaces {
                /* NOTE(review): dhcp/tftp inbound on the PPPoE underlying
                   interface look like wizard defaults; fe-0/0/0.0 has no
                   inet family in this config, so they are probably inert,
                   but they are still worth removing. */
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                /* Internet-facing exposure is limited to IKE and the HTTPS
                   listener used by the dynamic-VPN client portal. */
                pp0.0 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ike;
                        }
                    }
                }
            }
        }
        security-zone jbvpn {
            address-book {
                address addr_192_168_0_0_24 192.168.0.0/24;
                address addr_192_168_253_0_24 192.168.253.0/24;
            }
            interfaces {
                st0.0;
            }
        }
    }
}
access {
    /* XAUTH users for the dynamic VPN; passwords are sanitised placeholders. */
    profile remote_access_profile {
        client me {
            firewall-user {
                password "xxxxxxxxxxxxxxxxxxxx";
            }
        }
        client me-backup {
            firewall-user {
                password "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.0.0/24;
                range dvpn-range {
                    low 192.168.0.170;
                    high 192.168.0.179;
                }
                dhcp-attributes {
                    domain-name remotedomain.co.uk;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }
}
applications {
    application SSMTP {
        protocol tcp;
        destination-port 465;
    }
    application IMAPS {
        protocol tcp;
        destination-port 993;
    }
}
smtp {
    primary-server {
        address 192.168.0.222;
        login "server@mydomain.co.uk" {
            password "xxxxxxxxxx";
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}